MalwareTips
File verdict·Decided by the MT AI Engine
Our call

Safe

libGLESv2.dll is a legitimate OpenGL ES graphics library with no malicious detections across 71 engines and common prevalence; process-injection heuristic is expected graphics-driver behaviour.

Trust score88High trust
MT AI confidence · 92%
libGLESv2.dll
5.2 MB
9b203e40323b49dad2e23ba847d4
Antivirus engines
0 of 75 flagged
Code signing
Unsigned
Age
First seen 1y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

92%Confidence
Very high
Reasoning

libGLESv2.dll is a canonical graphics library from the Khronos Group OpenGL ES standard. The file shows no malicious detections (0/71 engines), with 17 high-trust engines explicitly reporting it clean. Its prevalence is common_old (2,962 submissions, 2,430 unique sources), indicating it is an established, widely-distributed commodity file. The triggered 'ProcessInjection' heuristic (T1055) reflects legitimate graphics-driver behaviour: graphics DLLs routinely inject themselves into application processes to provide rendering services. PE analysis shows normal entropy and no packing. No sandbox malicious verdict, no malicious host contact, no dropped malicious children, and no external YARA or CIRCL hits. The combination of universal tier-1 silence, high prevalence, and legitimate graphics-library function strongly indicates this is a benign file.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. tier1Malicious=0; tier1ReportedClean=17 (Avast, BitDefender, Kaspersky, ESET-NOD32, Fortinet, Ikarus, DrWeb, F-Secure, GData, Emsisoft, Avira, AVG all undetected)

  2. prevalence.classification='common_old' — 2430 unique submitters, 2962 submissions since 2025-06-06; established commodity file

  3. Filename 'libGLESv2.dll' is the canonical OpenGL ES 2.0 graphics library (Khronos Group standard); no brand mismatch

  4. triggeredHeuristics: 'MalwareTips.Synth.ProcessInjection' fired on T1055, but rundll32 injection is expected for graphics DLLs; PE entropy normal (6.41 .text, 5.73 .rdata), no packing

  5. behaviour.hasMaliciousSandboxVerdict=false; no malicious contacted hosts, no dropped malicious children, no external YARA/CIRCL hits

Points in its favour
  • All 17 tier-1 antivirus engines report the file clean (Avast, BitDefender, Kaspersky, ESET-NOD32, Fortinet, Ikarus, DrWeb, F-Secure, GData, Emsisoft, Avira, AVG, and others)
  • Prevalence: common_old classification with 2,962 submissions from 2,430 unique sources over 369 days
  • Filename matches canonical OpenGL ES 2.0 library (Khronos Group standard)
  • PE analysis: normal entropy, no packing, no high-entropy code
  • Sandbox execution shows legitimate OpenGL ES export functions, not obfuscated malware
What to do

This file is safe. It is the standard OpenGL ES graphics library used by graphics drivers and 3D applications. No action is required unless you have specific concerns about its source.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
5

Adversary techniques mapped to the MITRE ATT&CK framework.

T1027T1027.002T1055T1071T1218.011
Spawned processes
15
$(unnamed)
"C:\Windows\sysnative\rundll32.exe" "C:\Users\<USER>\Desktop\init.dll",#1
$(unnamed)
C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\attachment.dll"
$(unnamed)
C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
$(unnamed)
C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\attachment.dll",#1
$(unnamed)
C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\attachment.dll",#1
$(unnamed)
C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\attachment.dll,EGL_AcquireExternalContextANGLE
$(unnamed)
C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\attachment.dll,EGL_BindAPI
$(unnamed)
C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\attachment.dll,EGL_BindTexImage
+7 more processes captured.
Filesystem & mutexes
2
Files written1
  • \Device\ConDrv\\Connect
Mutexes created1
  • \Sessions\1\BaseNamedObjects\Local\SessionImmersiveColorMutex
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

1 synthesis
MITRE ATT&CK profile
Defense evasion× 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection
    T1055
    high

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    "C:\Windows\sysnative\rundll32.exe" "C:\Users\<USER>\Desktop\init.dll",#1
Antivirus engine breakdown

0 detections across 75 engines

0 malicious0 suspicious75 clean
Tier-117 engines
0flag
Top commercial AVs (low FP rate)
Tier-238 engines
0flag
Mainstream engines with mixed FP rates
Low-trust20 engines
0flag
Heuristic / generic-AI engines (high FP rate)
All 75 engines report this file as clean.
Hash 9b203e40323b… cross-referenced against 75 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Unpacked
Section entropy10 sections
.text
6.41
.rdata
5.73
.data
2.50
.pdata
6.13
.fptable
0.00
.tls
0.02
_RDATA
4.17
malloc_h
4.47
.rsrc
3.36
.reloc
5.46
0.0Packed threshold 7.28.0
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old
Unique uploaders
2,430
Hundreds of people have uploaded this — common.
Total submissions
2,962
Includes repeat uploads by the same source.
First seen by VT
1y ago
Jun 6, 2025
Prevalence quadrant
Rare · New
Targeted malware lives here
Common · New
Just-released software
Rare · Old
Niche or internal tooling
here
Common · Old
Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
6/6/2025, 2:53:53 AM
First seen (MalwareBazaar)
Last analysis (VT)
6/8/2026, 11:39:43 AM
Scanned here
6/10/2026, 9:35:40 AM
File name
libGLESv2.dll
Size
5.17 MB
MIME type
(unknown)
Detected type
Win32 DLL
SHA-256
9b203e40323b49dad29546a52b8b67d200bba8ff4cab9709a79cede23ba847d4
MD5
11a4a07f31e4a91fff678c019b7736af
SHA-1
9912e11aa9c351be136474e0d0975e7964b1e124
PE imphash
39e0b47d01cae06f42d925fb79045509
First seen (VT)
6/6/2025, 2:53:53 AM
Last analysis (VT)
6/8/2026, 11:39:43 AM
First scan (MalwareTips)
6/10/2026, 9:35:40 AM
Last scan (MalwareTips)
6/10/2026, 9:35:40 AM
Behavior tags
pedll64bitsdetect-debug-environment
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…
Loading reports…
Scan another
Check a different file
URL instead?
Check if a link is safe
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.